09/25/2025-10/01/2025 New Malicious Rust Crates Impersonating fast_log, Fortra GoAnywhere CVSS 10 Flaw, Critical Linux Sudo Flaw And More.

1. Salesforce Patches CRM Data Exfiltration Vulnerability

AI security vendor Noma Labs uncovered a chain of indirect prompt injection flaws in Salesforce’s AI tools, dubbing the attack “ForcedLeak.” Reported July 28 with a CVSS-equivalent score of 9.4, the issue was patched by Sept. 8 in both Agentforce and Einstein. Researchers showed that Salesforce’s Web-to-Lead form, which accepts up to 42,000 characters in its description field, could be abused to inject hidden instructions. These instructed Agentforce agents to exfiltrate sensitive data to attacker-controlled servers. Normally blocked by Salesforce’s Content Security Policy, the exploit worked because Salesforce failed to retain ownership of a whitelisted domain, which Noma re-registered for $5. Salesforce has since re-secured the domain and added stronger URL allowlists to block untrusted links. Experts warn that indirect prompt injections—hidden in external data like emails or forms—are a growing risk for “agentic” AI systems. Security leaders stress that AI assistants must be sandboxed and treated as part of the attack surface.

2. New Malicious Rust Crates Impersonating fast_log to Steal Solana and Ethereum Wallet Keys

In a sophisticated supply chain attack, cybercriminals have targeted cryptocurrency developers using malicious Rust crates. The fraudulent packages, faster_log and async_println, impersonated the legitimate fast_log library and were published on May 25, 2025.

These packages, which accumulated thousands of downloads, maintained functional logging to evade detection while secretly scanning developers’ source files. The malicious code used regular expressions to hunt for and steal Solana and Ethereum private keys. Any discovered credentials were immediately exfiltrated to an attacker-controlled server disguised as legitimate Solana infrastructure.

This attack exploits trust in package repositories, demonstrating how minimal, hidden code modifications can create significant security risks. By maintaining the expected functionality, the malicious crates operated undetected within development environments, successfully stealing sensitive cryptocurrency keys.

3. Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure

watchTowr Labs says it has “credible evidence” that CVE-2025-10035 — a deserialization flaw in Fortra GoAnywhere MFT — was exploited in the wild as early as Sept. 10, 2025, a week before public disclosure. The bug can enable unauthenticated command injection via the License Servlet; Fortra released fixes in GoAnywhere 7.8.4 and Sustain 7.6.3.

watchTowr’s analysis and Rapid7’s follow-up describe a chain of issues: a long-known access-control bypass, the unsafe deserialization (CVE-2025-10035), and a remaining mystery allowing attackers to learn a private key. watchTowr shared exploitation evidence showing attackers achieved RCE, created an “admin-go” account, added a web user, and uploaded payloads (including SimpleHelp and an implant named “zato_be.exe”). The activity traced to IP 155.2.190[.]197.

CISA has confirmed active exploitation and mandated fixes for federal agencies by Oct. 20, 2025. watchTowr’s CEO urged Fortra to be more transparent about in-the-wild attacks and the remaining unanswered technical questions.

4. Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024

NVISO Labs says CVE-2025-41244 — a local privilege escalation in Broadcom VMware Tools and VMware Aria Operations — was exploited in the wild by UNC5174 from mid-October 2024. The bug (CVSS 7.8) affects numerous VMware releases, including VMware Cloud Foundation, vSphere, Aria Operations, VMware Tools (11–13.x), and Telco Cloud products. Because it’s a local escalation, an attacker must first obtain access to a VM with VMware Tools and SDMP enabled. NVISO credited Maxime Thiebaut for reporting the issue on May 19, 2025. VMware Tools 12.4.9 (part of 12.5.4) and forthcoming open-vm-tools updates remediate the flaw for affected platforms.

The root cause is a vulnerable get_version() routine that uses broad regex (\S), allowing non-system binaries (e. g., /tmp/httpd) to be treated as system services. An unprivileged user can stage a malicious binary that gets executed with elevated privileges. NVISO observed UNC5174 staging /tmp/httpd to spawn an elevated shell; the exact payloads remain unclear. The report warns other malware may have unintentionally exploited this pattern for years.

5. CISA Warns of Critical Linux Sudo Flaw Exploited in Attacks

Hackers are actively exploiting a critical flaw (CVE-2025-32463) in the sudo package that lets local users gain root privileges on Linux systems. CISA has added it to its KEV catalog and ordered federal agencies to patch or discontinue sudo by October 20, 2025.

The bug, rated 9.3/10 in severity, affects sudo versions 1.9.14–1.9.17. It stems from sudo’s -R (--chroot) option, which attackers can abuse to run arbitrary commands as root even if they’re not in the sudoers file. Researcher Rich Mirch discovered the flaw, noting it impacts default configurations and requires no predefined user rules.
Disclosed June 30, the vulnerability has been present since June 2023. A proof-of-concept exploit was released July 4, and other exploits have since circulated. CISA confirmed active attacks but gave no details. Organizations are urged to prioritize patching and follow KEV guidance to mitigate risk.

6. First Malicious MCP Server Found Stealing Emails in Rogue Postmark-MCP Package

Researchers have uncovered the first known malicious Model Context Protocol (MCP) server, raising new supply chain concerns. Security firm Koi Security found a rogue npm package, “postmark-mcp,” uploaded on Sept. 15, 2025, by developer “phanpak,” who maintains 31 other packages. The fake library mimicked the official Postmark Labs project but introduced a backdoor in version 1.0.16, released Sept. 17.

The backdoor silently BCC’d every email sent via the MCP server to phan@giftshop[.]club, exposing potentially sensitive data such as invoices, password resets, and internal memos. The package was downloaded 1,643 times before its removal.

The attack was “embarrassingly simple — one line of code, thousands of stolen emails.” Snyk warned MCP servers often run with high trust inside AI workflows, making them especially risky targets.

Users are urged to remove the npm package, rotate exposed credentials, and audit email logs. Postmark confirmed the package was unaffiliated and that its services remain secure.